The auditd daemon can be configured to halt the system when the audit logs are full. In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Solution
Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt